Trusted biometric device

ABSTRACT

A computer-implemented method for enhancing the security of informational interactions with a biometric device is disclosed. The method includes pre-establishing an encryption relationship between a computing device and the biometric device. An instruction is received to begin an authorization or enrollment session. A session packet is generated and encrypted. The session packet is transmitted to the biometric device. A biometric information packet is received and decrypted. A determination is made, based on a content of the decrypted biometric information packet, as to whether or not to utilize a collection of biometric data contained in the decrypted biometric information packet.

REFERENCE TO RELATED CASE

[0001] This application claims priority from U.S. ProvisionalApplication Serial No. 60/398,419 filed on Jul. 25, 2002, and entitled“TRUSTED BIOMETRIC DEVICE.”

BACKGROUND OF THE INVENTION

[0002] The present invention generally pertains to biometric securitysystems. More specifically, the present invention pertains to biometricsecurity systems that provide an enhanced defense against unlawfulhackers and other system attackers.

[0003] Within a typical biometric security system, there are at leasttwo operations, enrollment and authentication. The operation ofenrollment encompasses the original sampling of a person's biometricinformation, and the creation and storage of a match template (a.k.a.,an enrollment template) that is a data representation of the originalsampling. The operation of authentication includes an invocation of abiometric sample for the identification or verification of a system userthrough comparison of a data representation of the biometric sample withone or more stored match templates.

[0004] Biometric information is, by nature, reasonably public knowledge.A person's biometric data is often casually left behind or is easilyseen and captured. This is true for all forms of biometric dataincluding, but not limited to, fingerprints, iris features, facialfeatures, and voice information. As an example, consider two friendsmeeting. The one friend recognizes the other by their face and othervisible key characteristics. That information is public knowledge.However, a photo of that same person ‘is’ not that person. This issuesimilarly applies, electronically, to computer-based biometricauthentication wherein a copy of authorized biometric information issusceptible to being submitted as a representation of the correspondingoriginal information. In the context of biometric security applications,what is important, what enables a secure authentication, is a unique andtrusted invocation of an authorized biometric.

[0005] A key issue confronting biometric authentication for securityapplications is providing some sort of assurance that the biometricsample being processed is a true and trusted sample. Numerous knownbiometric security systems are susceptible to being duped because a datarepresentation received by a security processor is actually a fraudulentinvocation of biometric information. For example, an individual inpossession of a copy of authorized biometric information can submit thecopy to enable unauthorized access. In a particularly dangerousscenario, an individual in possession of an electronic copy ofauthorized biometric information can fraudulently bypass the physicalcollection of biometric information and directly submit the copy to anelectronic security processor to enable unauthorized access.

[0006] To ensure a trusted invocation of biometric information, theintegrity of any transfers of information between a capture device and aprocessor should be maintained. In particular, the processor responsiblefor receiving and processing biometric information submitted by a usershould be able to ‘trust’ the biometric data it receives. In otherwords, there should be a trusted relationship between a device thatgathers a user's biometric information (i.e., a fingerprint scanner) anda security processor responsible for processing that biometricinformation.

[0007] Ensuring that access is granted only upon unique and trustedinvocations of authorized biometric information is a challenge relevantto most biometric security systems.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008]FIG. 1 is a block diagram of a user authentication system.

[0009]FIG. 2 is a flow diagram illustrating operations performed inassociation with the user authentication system.

[0010]FIG. 3 is a schematic block diagram illustrating one example of anenvironment within which embodiments of the present invention can beimplemented.

[0011]FIG. 4 is a flow diagram illustrating steps associated with amethod for enabling trusted communication between a biometric device anda computer.

[0012]FIG. 5 is a flow diagram illustrating steps associated withgenerating a session packet.

[0013]FIG. 6 is a block diagram representation of a session packet.

[0014]FIG. 7 is a flow diagram illustrating steps performed inassociation with generating a biometric information packet.

[0015]FIG. 8 is a block diagram representation of a biometricinformation packet.

[0016]FIG. 9 is a flow diagram illustrating steps associated withprocessing a received biometric information packet.

SUMMARY OF THE INVENTION

[0017] Embodiments of the present invention pertain to acomputer-implemented method for enhancing the security of informationalinteractions with a biometric device. The method includespre-establishing an encryption relationship between a computing deviceand the biometric device. An instruction is received to begin anauthorization or enrollment session. A session packet is generated andencrypted. The session packet is transmitted to the biometric device. Abiometric information packet is received and decrypted. A determinationis made, based on a content of the decrypted biometric informationpacket, as to whether or not to utilize a collection of biometric datacontained in the decrypted biometric information packet.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

[0018] I. Illustrative Contextual Environments

[0019] Various aspects of the present invention pertain to biometricsecurity systems that provide an enhanced defense against unlawfulhackers and other system attackers. The concepts of the presentinvention are designed to operate in conjunction with a broad range ofgeneral security applications, including but not limited to physicalaccess security applications, computer network security applications,individual computer security applications, Internet based applicationsand systems, as well as other security applications. The methods andsystems of the present invention are also generally suitable forimproving the performance and reliability of user authenticationsystems.

[0020] Embodiments of the present invention can be implemented torestrict access to secure data. Embodiments can also or alternatively beimplemented to enhance security provided in association with a varietyof access points. Some of these access points are associated with aphysical space, such as a building, a room, a particular airportterminal, an airplane, etc. In accordance with one embodiment, abiometric scanner is physically positioned within an unsecured area,while access to a separated secured area is denied to anyone who isunable to present authorized biometric information to a biometricscanner for processing by an associated access control program. Inaccordance with another embodiment, a biometric scanner is physicallypositioned on an unsecured side of a locked door that remains lockeduntil authorized biometric information is received by a biometricscanner and adequately processed by an associated access controlprogram.

[0021] Embodiments of the present invention can also be implemented toenhance security provided in association with electronic access points.Through interaction with a computing device, a user is able to encountera wide variety of functional and informational access points ortransaction access points, most all of which can potentially be securedwith the systems and methods of the present invention.

[0022] A potentially securable electronic access point is encounteredwhen a user is presented with an ability to gain general access to aparticular computer network (e.g., a particular LAN, the Internet,etc.). Another potentially securable electronic access point isencountered when a user is presented with an ability to access aparticular collection of information (e.g., medical records, accountinformation, personnel information, protected data files, etc.) that isstored on the computing device with which the user is interacting, or isaccessibly stored on a remote computing device. Another potentiallysecurable electronic access point is encountered when a user ispresented with an ability to access and operate a particular programthat is stored on the computing device with which the user isinteracting, or is accessibly stored on a remote computing device. Stillother potentially securable electronic access points are encounteredwhen a user is presented with an ability to access information storedwithin a particular file or directory, or an ability to access a classof information that is identified in a particular manner (e.g.,confidential), or an ability to utilize functions associated withanother independent device (e.g., a particular camera, scanner, cashdrawer, vault, etc). These are only a few of many electronic accesspoints that could be secured utilizing the systems and methods of thepresent invention.

[0023] The present invention is useful with various types of biometrictechnology. Specific technologies include iris or retina eye-scantechnology, voice technology, face technology, hand geometry technology,DNA technology, spectral biometric technology and fingerprinttechnology, for example. To the extent that the present descriptiondescribes a fingerprint-based system, such description is intended to bebut one example of a suitable system. The scope of the present inventionis not so limited.

[0024] II. Illustrative Operational Environment

[0025]FIG. 1 is a block diagram of a user authentication system 10. Userauthentication system 10 includes a reader portion 12, imageanalyzer/processor 14 and searchable database 16, which further includesan output 15. Reader portion 12 can be any of a number of known systemscapable of scanning an image of a fingerprint and transferring datapertaining to the image to an image analyzer, such as imageanalyzer/processor 14.

[0026] In many cases, reader portion 12 will include an optical orelectronic device that includes a platen designed to receive the fingerto be imaged. A digitized image of biometric information is produced.The reader commonly uses light or electricity to image the finger'spattern. The digitized image is transferred out of reader portion 12 toimage analyzer/processor 14. Image analyzer/processor 14 varies withapplication, but generally analyzes the image data received for a widevariety of purposes and applications.

[0027] Image analyzer/processor 14 is illustratively configured tocreate an authentication model (a.k.a., image model) based on theparticular features and characteristics of images received from readerportion 12. In accordance with one embodiment, authentication models aremore than facsimiles of their associated fingerprint images and includea unique range of data elements that provide various analyticalopportunities. Authentication model creation is described in U.S. patentapplication Ser. No. 09/991,589, filed on Nov. 16, 2001, entitled IMAGEIDENTIFICATION SYSTEM, which is owned by the present Applicant, and thecontents of which are hereby incorporated by reference in theirentirety.

[0028] In one embodiment, image analyzer/processor 14 directly orindirectly compares data elements of a generated authentication model todata elements of at least one other authentication model stored withinsearchable database 16. The authentication models stored in database 16illustratively correspond to previously obtained scanned images, whilethe authentication model being compared illustratively corresponds to acontemporaneously scanned image. User authentication system 10 isconfigured to efficiently make a determination as to whether theauthentication model corresponding to the contemporaneously scannedfingerprint is substantially similar to any of the authentication models(or directly related data collections) included within the searchabledatabase 16. In this manner, user authentication system 10 provides anefficient and accurate fingerprint image identification system. Such asystem is used, for instance, as a security measure to determine whetherthe person who places a finger on the reader portion 12 should beauthorized to enter a room, to access a bank account or to take anyother variety of actions.

[0029] As is shown in FIG. 1, searchable database 16 includes an output15. The precise nature of output 15 depends on the context within whichuser authentication system 10 is to be applied. For instance, output 15could be a positive or negative match indication, or an identificationindicator of an authentication model or data collection contained insearchable database 16 that substantially matches or corresponds to theimage scanned by reader portion 12. These are but several examples ofthe many potential forms of output 15. In addition, output 15 caninclude data to be communicated to an application.

[0030] III. Operational Overview

[0031]FIG. 2 is a flow diagram illustrating operations to be carried outwithin system 10, for example within analyzer/processor 14, inaccordance with an embodiment of the present invention. The processbegins when image analyzer/processor 14 receives image data from readerportion 12. After receiving image data, image analyzer/processor 14illustratively first performs, as is indicated by block 18 in FIG. 2, aseries of image qualification functions. The image qualificationfunctions are illustratively optional.

[0032] Briefly, image qualification 18 involves quickly processing allor part of the available image data to ensure that the received image isa scan of a real fingerprint (as opposed to a fraudulent fingerprint)and of sufficient quality to proceed with processing. In one embodiment,if the image qualification process leads to the conclusion that thescanned image is fraudulent or of insufficient quality, then processingof the image is interrupted. In such a case, the system user is providedwith feedback pertaining to identified inadequacies and is allowed tocontinue processing only when the inadequacies have been corrected.

[0033] In accordance with one aspect of the present invention, imagequalification 18 can include means for providing assurance that reader12 is a trusted biometric device, and that received images are notsomehow fraudulent. This aspect of the present invention will bedescribed below in detail in relation to FIGS. 3-9.

[0034] Block 20 in FIG. 2 represents the point at which qualified imagedata has been obtained. After qualified image data has been obtained,the image data is utilized for at least one of two purposes, namely,enrollment and authentication. Block 22 represents the enrollmentprocess during which match templates are generated (i.e., based ondigitized qualified image data) and entered into, and illustrativelycatalogued within, searchable database 16. Block 24 represents theauthentication process that includes comparing data associated with aninvocation of biometric data with stored data for the purpose ofdetermining whether access should be granted or denied.

[0035] In accordance with one embodiment, data representations generatedduring processes 22 and 24 are generated in accordance with the samealgorithm, or two substantially similar algorithms, such that they areproduced in the same, or a substantially similar, format. In accordancewith one embodiment; however, substantially different but relatedalgorithms are utilized. Accordingly, the generated data representationsare related but not identical. This enables an indirect,relationship-based comparison process during authentication. Thisindirect comparison process is the subject of a copending applicationthat is owned by the present Applicant.

[0036] As is indicated by block 26 in FIG. 2, a database search 26 canbe performed in association with model comparison 24 to determine which,if any, of multiple match templates stored in the searchable databaseadequately match a data representation generated during theauthentication of a “live” invocation. Illustratively, database search26 is a quick and efficient determination as to which, if any, ofpotentially thousands, or even millions, of enrollment templates (ordata collections related thereto) within database 16 exhibit a desiredlevel of similarity, as compared to a target representation of a “live”invocation. Searching can be done by biometric information alone, or bysome identifier like employee ID, User ID, account number, etc. Inaccordance with one embodiment, an identifier (i.e., an employee ID,User ID, account number, etc.) is utilized to select a single collectionof data from database 16 to be compared to a target representation of a“live” invocation on a one-to-one basis.

[0037] In accordance with one embodiment, a set of database keys thatdescribe different match template characteristics are defined tofacilitate general rather than specific comparisons to be made duringthe database search 26 process.

[0038] IV. Trusted Biometric Device Methods and Systems

[0039] The foundation behind the described security environments andapplications lies in an ability to obtain a unique and trustedinvocation of a user's biometric data. Accordingly, the process ofgathering a user's biometric information and transferring it forprocessing should be protected, trusted and secured. A transferredcollection of biometric data should be worthy of being trusted as a truerepresentation of a user's newly presented biometric information (i.e.,a “live” invocation). The analyzer/processor should be able to ‘trust’the biometric data it receives. Preventing a replay (i.e., electronicreplay) of biometric data is paramount.

[0040] In accordance with one aspect of the present invention, FIG. 3illustrates a general block diagram of an environment within which imagequalification may be implemented to add assurance that reader 12(FIG. 1) is a trusted biometric device, and that received images are notsomehow fraudulent. Image analyzer/processor 14 (FIG. 1) is implementedon a computer 32. As was described in relation to FIG. 1, reader 12 isconfigured to receive biometric information from a system operator andtransfer corresponding information to analyzer/processor 14 forauthentication, enrollment, etc.

[0041] An encryption component 34 and an encryption program 36 areillustratively operably stored with reader 12. In accordance with oneembodiment, encryption program 36 is implemented as device firmware. Inaccordance with another embodiment, encryption program 36 is executed inassociation with a flash memory implementation. An encryption component38 and an encryption program 40 are illustratively operably stored withcomputer 32. In accordance with one embodiment, encryption program 40 isimplemented as software. Encryption component 34 and encryptioncomponent 38 are illustratively related encryption values (e.g., eachcomponent is one portion of a related PKI encryption key pair).

[0042]FIG. 4, in accordance with one aspect of the present invention,illustrates a method that is generally applicable within the environmentdiscussed in relation to FIG. 3.

[0043] Initially, as is indicated at step 102, an encryptionrelationship is pre-established between reader 12 and computer 32. Inone mode of operation, each of the reader 12 and the computer 32includes a separate but related encryption component. For example, as isillustrated, reader 12 has encryption component 34 and computer 32 hasencryption component 38. Encryption component 34 is directly affiliatedwith the encryption component 38 (e.g., one of the encryption componentsis utilized to decrypt information that has previously been encryptedutilizing the other encryption component). In accordance with oneembodiment, encryption component 34 is a first part of a PKI key pairand encryption component 38 is a second part of the key pair. One of thefirst and second parts of the PKI key pair is illustratively a privateencryption key and the other is illustratively a corresponding publicencryption key. Related encryption component pairs other than a PKI pair(e.g., a predetermined related static key pair) could be utilizedwithout departing from the scope of the present invention.

[0044] After an encryption relationship has been pre-established betweenreader 12 and computer 32, the next step, in accordance with step 104,is for reader 12 to request access from computer 32. It should be notedthat the request need not come directly from the biometric device. Therequest can actually come from an independent application associatedwith the biometric device (i.e., an independent software application),or from an independent device associated with the biometric device. Inaccordance with one embodiment, the request corresponds to a command orsimilar interaction initiated by a system operator. Once access has beenrequested, assuming that the requested access involves restricted orsecured rights, the computer 32 initiates an authorization session atstep 106. Illustratively, an authorization session opens upon initiationand closes after a predetermined time period. The predetermined timeperiod is illustratively chosen to be about as long, with whatever leador support time is required, as it takes to complete a scan or readingof a system operator's biometric information. Thus, if the systemoperator delays too long in performing the biometric read, the read isnot accepted. It should be noted that the security processes of thepresent invention are not limited to the authentication process. Similarsteps could just as easily be carried out in association with anenrollment or some other process that would benefit from securecomputing device—biometric device interaction.

[0045] At step 108, the computer 32 generates a session packet (e.g.,computer 32 responds to software instructions). A session packetillustratively includes two items. A first included item is a sessionnumber, which is a unique, illustratively non-consecutive, number thatis created for each session packet. A session packet is created for eachinitiated session. A session is initiated for each request for access toa secured item. A second item included in a session packet is oneportion of a PKI key pair, illustratively a public key portion.

[0046] After the session packet has been generated, it is encryptedutilizing the pre-established encryption component associated withcomputer 32. The encrypted session packet is then transmitted to reader12. A copy of the session number is illustratively retained with thecomputer 32. A private key is also retained. The private keyillustratively corresponds to the public key that is encrypticallystored within the session packet.

[0047] During step 110, reader 12 generates a biometric informationpacket. To accomplish this, reader 12 utilizes the encryption component34 to decrypt the session packet. Accordingly, reader 12 then has accessto the public key stored in the session packet. Reader 12 then collectsbiometric information from a system operator. The collected biometricinformation and the session number illustratively comprise at least twoparts of a biometric information packet. The biometric informationpacket is encrypted utilizing the public key that was transferred toreader 12 within the session packet.

[0048] The encrypted biometric information packet is transmitted to thecomputer 32. There, the retained private key is utilized to decrypt thebiometric information packet, which was encrypted with a correspondingpublic key (the public key sent previously within the session packet).As is indicated at step 112, the retained session number is compared tothe received session number to be sure that the two values match. Acheck is made to be sure that the received session number was receivedwithin a proper predetermined time frame (e.g., as measured from themoment the session number was created). If the session number does notmatch or was not received in time, then the biometric information is notutilized for any subsequent purpose (i.e., authentication, enrollment,etc.) Assuming the session numbers do match and timing is adequate, thesystem operator's biometric information can then be transferred toanalyzer/processor 14 for processing (i.e., for authentication,enrollment, etc.)

[0049] In accordance with the present invention, computer 32 generates asession packet according to method 400 illustrated in FIG. 5. At step402, computer 32 initiates an authorization session. Next, a sessionnumber and session key (a public key) is generated at step 404. At step406, session data (e.g., the session number and a time stamp) is stored.A private key that corresponds to the public session key is stored forlater decryption of data sent from reader 12. Session packet informationis assembled at step 408. Next, at step 410, the session packetinformation is encrypted using encryption component 38.

[0050] As a result of the steps of method 400, a session packet 500,illustrated in FIG. 6, is generated. As illustrated, session packet 500is encrypted with encryption component 38 and is then ready to betransmitted to reader 12. Session packet 500 includes session packetinformation 506, which illustratively includes session number 508,session key 510 (public key), time stamp 514 and other data 516. Timestamp 514 can optionally not be included in the packet. Time stamp 514can simply be maintained on the computer with its corresponding sessionnumber for subsequent comparison purposes.

[0051] Session number 508 is illustratively a non-sequential number thatis unique to a particular session. Session key 510 (public key) can alsobe unique to a particular session but does not have to be. Whether ornot the public key does vary, a corresponding private key should beaccessible to the computer. Timestamp 514 is a time value indicative ofa time associated with the session initiation. Other data 516 may alsobe provided with session data 506. After session packet 500 is assembledand encrypted in accordance with encryption component 38, it istransmitted to reader 12.

[0052] Once reader 12 receives session packet 500, reader 12 performsmethod 550 illustrated in FIG. 7. The method includes decrypting thesession packet at step 552. This decrypting is completed using anencryption component, in particular, encryption component 34 illustratedin FIG. 3. Once the session packet is decrypted, reader 12 collectsbiometric identification information from a system operator (e.g., basedon the command received in a session packet). In one mode of operation,the user will perform a fingerprint scan utilizing reader 12. Othertypes of identification may also be used. At step 556, an image isgenerated. At step 558, biometric information packet information isassembled. The biometric information packet information illustrativelyincludes the session number sent in the session packet and the imagegenerated in step 556. Once the biometric information packet informationis assembled, the packet is encrypted with the session key (public key)sent in session packet 500. This is completed in step 560.

[0053]FIG. 8 illustrates biometric information packet 600. Biometricinformation packet 600 is encrypted with session key (the public key)and includes packet information 606. Packet information 606 includessession number 508, authentication model 608 (or some other form ofbiometric information) and other data 610. The biometric informationpacket can also illustratively include a time stamp, such as anindependently generated time stamp or time stamp 514 to assist in laterdetermining whether the biometric information packet was received withinthe predetermined time period. Once biometric information packet 600 isassembled, it is transmitted to computer 32.

[0054] Once computer 32 has received biometric information packet 600,method 650, illustrated in FIG. 9, is performed. Initially, thebiometric information packet 600 is decrypted utilizing the retainedsession key (the private key) at step 652. Next, at step 654, thesession number is validated. In order to provide enhanced security, theauthorization may be declined if the session number is not valid, forexample, if it does not match the retained value, or, if the biometricinformation packet was not received within a specified amount of time.Authorization is declined at step 656. If a valid session number isreceived, processing is allowed to continue at step 658. This may beperformed as illustrated in FIG. 2. Again, the present invention is notlimited to the authentication process. It could just as easily beapplied in the context of an enrollment or some other process.

[0055] Although the present invention has been described with referenceto preferred embodiments, workers skilled in the art will recognize thatchanges may be made in form and detail without departing from the spiritand scope of the invention.

What is claimed is:
 1. A computer-implemented method for enhancing thesecurity of informational interactions with a biometric device,comprising: pre-establishing an encryption relationship between acomputing device and the biometric device; generating a session packet,encrypting it, and transmitting it to the biometric device; andreceiving a biometric information packet, decrypting it, and making adetermination, based on a content of a collection of informationcontained in the decrypted biometric information packet, as to whetheror not to utilize a collection of biometric data contained in thedecrypted biometric information packet.
 2. The method of claim 1,wherein generating a session packet comprises generating a sessionnumber and storing it in the session packet.
 3. The method of claim 2,further comprising storing the session number in a database associatedwith the computing device.
 4. The method of claim 1, wherein generatinga session packet comprises obtaining a session key and storing it in thesession packet.
 5. The method of claim 4, further comprising storing thesession key in a database associated with the computer.
 6. The method ofclaim 4, wherein receiving a biometric information packet and decryptingit comprises receiving a biometric information packet and decrypting itwith an encryption key that is complimentarily related to the sessionkey.
 7. The method of claim 4, wherein obtaining a session key comprisesgenerating a public key portion of a PKI key pair.
 8. The method ofclaim 7, wherein receiving a biometric information packet and decryptingit comprises receiving a biometric information packet and decrypting itwith a private key portion of the PKI key pair.
 9. The method of claim1, wherein receiving a biometric information packet and decrypting itcomprises receiving a biometric information packet and decrypting itwith an encryption component that is independent of the pre-establishedencryption relationship.
 10. The method of claim 1, wherein generating asession packet comprises generating a session time stamp and storing itin the session packet.
 11. The method of claim 1, wherein generating asession packet comprises: generating a session number and storing it inthe session packet; and obtaining a session key and storing it in thesession packet.
 12. The method of claim 11, further comprising storingthe session number, the session key and a session time stamp in adatabase associated with the computer.
 13. The method of claim 1,wherein making a determination comprises comparing a session number to alist of valid values.
 14. The method of claim 1, wherein making adetermination comprises evaluating a session time stamp to determinewhether the biometric information packet was received within apredetermined time period.
 15. The method of claim 1, wherein making adetermination comprises comparing a data representation of a user'sbiometric information to at least one data representation of biometricinformation stored in a database.
 16. The method of claim 1, whereinmaking a determination comprises: comparing a session number to a listof valid values; evaluating a session time stamp to determine whetherthe biometric information packet was received within a predeterminedtime period; and comparing a database representation of a user'sbiometric information to at least one data representation of biometricinformation stored in a database.
 17. The method of claim 1, whereinpre-establishing an encryption relationship comprises storing a firstencryption component with the computing device and a second encryptioncomponent with the biometric device, one of the first and secondencryption components being configured to decrypt information that haspreviously been encrypted utilizing the other of the first and secondencryption components.
 18. The method of claim 17, wherein encryptingthe session packet comprises encrypting the session packet utilizing oneof the first and second encryption components.
 19. The method of claim1, wherein pre-establishing an encryption relationship comprises storinga first part of a PKI key pair with the computing device and a secondpart of the PKI key pair with the biometric device.
 20. The method ofclaim. 19, wherein encrypting the session packet comprises encryptingthe session packet utilizing one of the first and second parts of thePKI key pair.
 21. The method of claim 1, wherein pre-establishing anencryption relationship comprises storing a first part of a staticencryption key pair with the computing and a second part of the staticencryption key pair with the biometric device, one of the first andsecond parts being configured to decrypt information that has previouslybeen encrypted utilizing the other part.
 22. The method of claim 21,wherein encrypting the session packet comprises encrypting the sessionpacket utilizing one of the first and second parts of the staticencryption key pair.
 23. A data packet for transmission from a computerto a biometric device during a process of authentication within abiometric security system, the data packet comprising: a session key,the session key being an encryption key configured to be utilized toencrypt data.
 24. The data packet of claim 23, wherein the session keyis a public key portion of a PKI key pair.
 25. The data packet of claim23, further comprising a session number.
 26. The data packet of claim25, wherein the session number is a value that corresponds to a sessioninitiated when the data packet is generated.
 27. A biometric deviceconfigured to support a secure transfer of biometric information to acomputing device, the biometric device comprising: a biometricinformation receiver configured to capture an individual's biometricinformation; a processor configured to process the biometric informationand produce a digitized representation thereof; a memory accessiblyconnected to the processor; and an encryption component stored in thememory, the processor being configured to receive an encrypted sessionpacket from the computing device and decrypt it utilizing the encryptioncomponent.
 28. The biometric device of claim 27, wherein the encryptioncomponent is implemented as firmware.
 29. The biometric device of claim27, wherein the encryption component is implemented in association witha flash memory application.
 30. The biometric device of claim 27,wherein the encryption component is one part of a PKI key pair.
 31. Thebiometric device of claim 27, wherein the encryption component is onepart of a static encryption key pair.
 32. The biometric device of claim27, wherein the processor is further configured to place the digitizedrepresentation into a biometric information packet.
 33. The biometricdevice of claim 32, wherein the processor is further configured toencrypt the biometric information packet utilizing a specializedencryption component contained in the session packet.
 34. The biometricdevice of claim of 33, wherein the processor is further configured totransfer the encrypted biometric information packet to the computer. 35.A computer readable medium having instructions stored thereon which,when executed by a computing device, cause the computing device toperform a series of steps comprising: receiving a session initiationcommand; generating a session packet; encrypting the session packet;transmitting the encrypted session packet to a biometric device;receiving a biometric information packet from the biometric device;decrypting the biometric information packet; and determining, based on acontent of a collection of authentication information contained in thedecrypted biometric information packet, whether or not to utilize acollection of biometric data contained in the decrypted biometricinformation packet.
 36. The computer readable medium of claim 35,wherein generating a session packet comprises generating a sessionnumber and storing it in the session packet.
 37. The computer readablemedium of claim 36, further comprising the step of storing the sessionnumber in a database associated with the computing device.
 38. Thecomputer readable medium of claim 35, wherein generating a sessionpacket comprises obtaining a session key and storing it in the sessionpacket.
 39. The computer readable medium of claim 38, further comprisingthe step of storing the session key in a database associated with thecomputer.
 40. The computer readable medium of claim 38, whereinreceiving a biometric information packet and decrypting it comprisesreceiving a biometric information packet and decrypting it with anencryption key that is complimentarily related to the session key. 41.The computer readable medium of claim 38, wherein obtaining a sessionkey comprises generating a public key portion of a PKI key pair.
 42. Thecomputer readable medium of claim 41, wherein receiving a biometricinformation packet and decrypting it comprises receiving a biometricinformation packet and decrypting it with a private key portion of thePKI key pair.
 43. The computer readable medium of claim 35, whereingenerating a session packet comprises generating a session time stampand storing it in the session packet.
 44. The computer readable mediumof claim 35, wherein determining comprises comparing a session number toa list of valid values.
 45. The computer readable medium of claim 35,wherein determining comprises evaluating a session time stamp todetermine whether the biometric information packet was received within apredetermined time period.
 46. The computer readable medium of claim 35,wherein encrypting the session packet comprises encryption the sessionpacket with a first encryption component that is complimentarily relatedto a second encryption component maintained on the biometric device, oneof the first and second encryption components being configured todecrypt information that has previously been encrypted utilizing theother of the first and second encryption components.
 47. The computerreadable medium of claim 46, wherein the first and second encryptioncomponents are a PKI key pair.
 48. The computer readable medium of claim46, wherein the first and second encryption components are a staticencryption key pair.